I requested my ISP to provide me a /27 of live IPs for my local network devices. I got them, but now I need help to route them to the ISP network. The ISP technicians already did their setup and the IPs are getting routed to the internet; I tested with a Cisco device, but I don’t know how to set it up with a Mikrotik RB.
For example:
they provide a /29 for my WAN interface: 192.168.10.0/29
for my LAN or devices: a /27: 172.20.18.0/27
Now I want to issue the /27 to my devices; my local devices should be pingable from outside the network.
The goal is clear, the details are not. It seems that the ISP sends traffic for those public IPs to you via your WAN address in the 192.168.10.0/29. You haven’t said whether they have configured this statically or whether you must advertise this public /27 to them using RIP or some other dynamic routing protocol (like some ISPs require).
You also haven’t stated how you (plan to) connect the clients on the LAN side of your router. To assign all the 32 IPs from the /27 to the clients and/or to be able to firewall the traffic among them, you need to use point-to-point links (PPPoE or point-to-point Ethernet); if you don’t mind, you can assign the /27 to a LAN bridge, let the .0 and .31 be gone for the network address and broadcast address, and use one more address from there for the Mikrotik itself.
Yes, they send traffic via the WAN IP and they set it up statically.
I do not want to make a bridge on the LAN; I want to make a subnet on the LAN and connect each client to one LAN interface. All done, but when I make a simple NAT rule to route LAN traffic to WAN, the LAN IPs work as local IPs, not live IPs.
NAT rules are not for routing, maybe you mean for redirection? So you want a 1:1 NAT between the public /27 and the private /27? Why do you consider it better than to assign the public IPs to the clients directly?
When you say you don’t want a bridge but a single LAN port per each client, it sounds like point-to-point links to me; if you wanted a single /27 on multiple Ethernet ports, the ports would have to be bridged together.
So post your existing configuration and express what you actually want to achieve.
Make a bridge and group all your interfaces, and give this bridge the IP of 172.20.18.1 255.255.255.224
(this will become the “default gateway” for all your PCs/devices connected on the LAN).
Then plug whatever device you want on the ethernet ports (all members of the bridge) and you can assign 172.20.18.2 up to 172.20.18.30.
Then make sure you have firewall rules in place in the FORWARD chain!! If you truly want all these hosts with “live” Internet IPs you must take care.
If you are not exposing any services to the outside world, DROP all packets that arrive destined for 172.29.18.0/27 that have the “SYN” flag set; they are not part of any session.
Etc. You want to have this done GOOD before you go live!
Make sure the Mikrotik IS NOT accessible on web-interface or Winbox from “outside” world, so ONLY allow from subnet 172.20.18.0/27 etc,etc.
…and of course you need a STATIC route also … point 0.0.0.0/0 (=everything) to the WAN with next-hop the ISP IP 192.168.10.x (don’t know what you put on your side, what ISP puts on their side).
…Or is this PPPoE connection ? Or plain “ethernet” to ISP ?
Securing services https://wiki.mikrotik.com/wiki/Manual:IP/Services
(So really make sure you add your “LAN” subnet in the “address” field. Otherwise it is wide open to the world. I think you want incoming HTTP/SSH/WINBOX from the Internet for now.)
This can be a bit difficult, since you need to understand the different “chains” that work with RouterOS.
In your case I would suggest an almost full drop of everything coming in on the “INPUT” chain, i.e. targeted at router IP 137.59.110.2.
In the “FORWARD” chain I would also filter on incoming-interface=ethernet_port_of_ISP and then everything that is “invalid” or “new” (since you do not expect new packets to arrive from the ISP for new TCP sessions, only returning traffic from sessions you created, initiated on the LAN side).
Also think about UDP traffic etc.
Make sure you run LATEST version of RouterOS !
Make a new “admin” user, name it something different of course, and then disable/remove the “admin” user.
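The steps in the post above (bridge the LAN ports, put the public /27 on the bridge, add the static default route, lock down INPUT and FORWARD, restrict services, replace the admin user) as one RouterOS CLI configuration. This is an added example written for this thread, not configuration posted by anyone in it. Assumptions: ether1 is the port facing the ISP, ether2 through ether5 are LAN ports, the ISP holds 192.168.10.1 on the /29 and the router takes 192.168.10.2; the LAN rule drops every new connection arriving on the ISP port, which covers the “drop inbound SYN” advice above without needing a separate tcp-flags rule.

```routeros
# Added example (not from the thread). Assumed: ether1 = ISP port,
# ether2-ether5 = LAN ports, ISP gateway 192.168.10.1, our WAN address 192.168.10.2.

# 1. Bridge the LAN ports so one /27 can span several physical ports
/interface bridge
add name=bridge-lan comment="all LAN ports, public /27 lives here"
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

# 2. WAN address from the /29 and the gateway address for the /27 on the bridge
/ip address
add address=192.168.10.2/29 interface=ether1 comment="WAN (ISP /29, assumed .2)"
add address=172.20.18.1/27 interface=bridge-lan comment="default gateway for LAN hosts .2-.30"

# 3. Static default route towards the ISP (assumed next-hop 192.168.10.1)
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="default route to ISP"

# 4. Firewall. INPUT protects the router itself; FORWARD protects the /27 hosts.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="return traffic to router"
add chain=input connection-state=invalid action=drop
add chain=input src-address=172.20.18.0/27 action=accept comment="management from LAN only"
add chain=input protocol=icmp action=accept comment="allow ping/path MTU"
add chain=input action=drop comment="everything else aimed at the router is dropped"

add chain=forward connection-state=established,related action=accept comment="replies to LAN-initiated sessions"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no unsolicited inbound sessions (TCP SYN, new UDP) from ISP"
add chain=forward in-interface=bridge-lan action=accept comment="LAN hosts may open outbound sessions"
add chain=forward action=drop

# 5. Management services only reachable from the LAN subnet; unused ones off
/ip service
set winbox address=172.20.18.0/27
set www address=172.20.18.0/27
set ssh address=172.20.18.0/27
disable telnet,ftp,api,api-ssl,www-ssl

# 6. Replace the default admin account (password is a placeholder to be changed)
/user
add name=netadmin group=full password="CHANGE-ME-placeholder"
disable admin
```

Note the order of the filter rules: RouterOS evaluates them top to bottom within a chain, so the `established,related` accept must come before the `in-interface=ether1 connection-state=new` drop, otherwise reply packets for LAN-initiated sessions would never match an accept. If a host on the /27 later needs to expose a service, add a specific `chain=forward in-interface=ether1 dst-address=172.20.18.x protocol=tcp dst-port=... action=accept` rule above the drop rather than loosening the drop itself.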